Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.

Tuesday, May 13, 2014

Unzip Gzip

New intrusion analysts will find that web traffic is increasingly compressed due to more and more complex sites with lots of multimedia content. You might use wget to pull down a page in your investigation or use something like Spondulas and end up with a file of mostly "garbage", like this one (intentionally shortened).

Notice that the Content-Encoding header tells us gzip compression is in use.

The Moloch packet capture program has a built-in gzip decompressor, but if you don't have a tool that will do this automatically, it's easily done by hand. Open the file in vi or another text editor and delete the HTTP header, blank lines, etc., down to the block of text that starts with the first caret. Save the file with a .gz extension or rename it. Then just run gzip with the -d parameter (decompress) on the file: gzip -d filename.gz

The resulting file should now be unzipped and readable (and no longer have the .gz extension).
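The same header-stripping and decompression, as an added example rather than code from the original post. It builds a constructed HTTP response inline (hypothetical page content), splits it at the first blank line, checks Content-Encoding, trims anything ahead of the gzip magic bytes (the "first caret" you see in vi is 0x1f), and decompresses with Python's gzip module in place of running gzip -d.

```python
import gzip

# Constructed sample of what wget or Spondulas might save: status line, headers,
# blank line, then the gzip-compressed body. The page content is hypothetical.
PAGE_HTML = b"<html><body><script>document.write('hello')</script></body></html>"
RAW_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Encoding: gzip\r\n"
    b"\r\n"
) + gzip.compress(PAGE_HTML)

# A gzip stream begins with the two bytes 0x1f 0x8b; vi renders 0x1f as ^_,
# which is the "first caret" the post tells you to trim down to.
GZIP_MAGIC = b"\x1f\x8b"


def split_http_response(raw):
    """Split a saved response at the first blank line into (headers, body).

    Header names are lower-cased so lookups do not depend on server casing.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # some tools save with bare LF line endings
        head, sep, body = raw.partition(b"\n\n")
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        name, colon, value = line.decode("latin-1").partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def decode_body(raw):
    """Return the readable body, doing by hand what `gzip -d` does.

    Decompresses when the gzip magic bytes are present; a body that is
    neither gzip-tagged nor gzip-shaped is returned unchanged.
    """
    headers, body = split_http_response(raw)
    is_gzip = headers.get("content-encoding", "").lower() == "gzip"
    start = body.find(GZIP_MAGIC)
    if start == -1:
        if is_gzip:
            raise ValueError("Content-Encoding: gzip but no gzip magic in body")
        return body
    # Drop stray blank lines or junk ahead of the magic, like the vi step.
    return gzip.decompress(body[start:])
```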